BSCC- Fw: HOTEL ROOM KEYS.......
Jerry Sachs
jsachs at guaranteedpower.com
Thu Apr 26 15:33:58 EDT 2007

It's Just the Key to Your Room

Computerworld surveys 100 hotel card keys to explode an urban myth.

January 16, 2006 (Computerworld) -- Warning: Hotel card keys may
contain personally identifiable data on the magnetic stripe. Is it
fact—or fiction?

"It's an urban legend. It doesn't work," says Joe McInerney, president
of the American Hotel and Lodging Association (AHLA). Nonetheless,
unsubstantiated reports keep surfacing every six months or so, he
acknowledges.

For example, last fall, an IT director at a travel club in Wyomissing,
Pa., told Computerworld that he had found personal information on
magnetic hotel key cards when visiting three major hotel chains. The IT
professional said he read the cards using a commonly available
ISO-standard swipe-card reader that plugs into any USB port. At one
resort, he said, his card key contained credit card information, his
address and his name. He said the hotel expressed surprise when he
showed it the results. His comments, which appeared in a Computerworld
blog in September, created a furor. He subsequently declined to
comment for this story.

As part of a Computerworld investigation into the allegations,
reporters and other staff members who traveled last fall brought back
52 hotel card keys over a six-week period. The cards came from a wide
range of hotels and resorts, from Motel 6 to Hyatt Regency and Disney
World. We scanned them using an ISO-standard card reader from MagTek
Inc. in Carson, Calif.—the type anyone could buy online.

We then sent the cards to Terry Benson, engineering group leader at
MagTek, for a more in-depth examination using specialized equipment.
MagTek also gathered cards from its own staff. In all, 100 cards were
tested.

Most cards were completely unreadable with an off-the-shelf card
reader. Neither Benson nor Computerworld found any personally
identifiable information on them. Based on these results, we think it's
unlikely that hotel guests in the U.S. will find any personal
information on their hotel card keys. There is, however, some debate
among industry experts over whether some older systems could have been
configured to store personal information under specific scenarios.

To understand why personal information is unlikely to appear on hotel
card keys, you must first understand how the technology works.
Electronic locks that use magnetic cards were developed to address
petty-theft problems associated with traditional keys. "Those problems
have virtually gone away," says Brian Garavuso, CIO at Hilton Grand
Vacations Co. in Orlando and chairman of the AHLA's technology
committee. Most keys contain only a room number, a departure date and a
"folio," or guest account code—although other data may be stored on
them as well.

The door locks, which are stand-alone, battery-powered devices, each
contain a sequence of lock codes. The sequence advances when an expired
card is swiped or a new card inserted. The lock also logs when a guest,
maid or other hotel employee has entered the room. Hotel door locks
aren't wired back to the systems at the front desk. Therefore, if a
card is lost and a new card is issued, the room remains unprotected
until the new card is inserted into the lock and it resets. Hotels use
card-key locks because they are relatively inexpensive, make rekeying
easy, include a time limit and provide an audit trail of room access.

Most card keys aren't readable because electronic lock systems use
proprietary encoders and readers. While ISO-standard cards store data
on three tracks on the magnetic strip, hotel lock systems use a
proprietary encoding pattern and encrypt room-key data on Track 3, says
Mark Goldberg, executive vice president and chief operating officer at
magnetic card maker Plasticard-Locktech International LLP in Asheville,
N.C. PLI's name appeared on many of the card keys Computerworld tested.

Only 15% of the cards tested yielded any data using the USB card
reader. The alphanumeric strings did not match any of the users' credit
card numbers, nor was any intelligible text found. At MagTek, Benson
was able to pull up strings of binary data from the cards but could not
decode it. A specialized reader would be needed to decipher it, but
"you won't be able to grab one of those off eBay very easily," he says.
Even then, the data would be unreadable because it is encrypted, says
Mike Scott, new products manager at Saflok, an electronic lock maker in
Troy, Mich.

On the Right Track?

Most electronic lock systems include a card encoder, a user
workstation and server software. That system interoperates with the
property management system (PMS), the software that handles functions
such as reservations, registration and guest billing. The PMS
communicates with the electronic lock system to generate new card keys
and sends billing data to the back-end systems.

A point-of-sale system may also tie back into the PMS to allow the
guest account code on the card key to be used to add charges for meals
or other items to the room bill. In this situation, the account code
exists within Track 2 on the card. This can be linked to the back-end
billing system, where the customer's name, address and credit card
information reside, allowing the guest to charge meals or bar tabs to
the card as though it were a credit card.

Resorts such as Universal Studios use Track 1 as an amusement park
pass and Track 2 for other charges, according to Saflok. While neither
track is encrypted, it typically includes only the folio code. On some
cards, the guest name and folio code may also be printed on the front
of the card itself.

Could credit card data be embedded directly onto the card?
"Technically it's possible, but why would you? It's not needed," says
Garavuso.

Individual hotel-chain properties are often franchised to other owners
that may outsource management to a third party—and may use a variety of
back-end systems. However, although the back-end systems may vary, all
hotel chains require that franchisees use their property management
systems, Garavuso says.

In some resorts or hotels, the systems used in the bar, restaurant or
other concessions may not be tied back to the PMS that contains the
customer billing data. In that scenario, the hotel could choose to
encode credit card data directly onto the hotel key to allow credit
charges to be made, rather than going to the trouble of modifying both
systems. That type of arrangement could explain the experience the IT
director reported to Computerworld.

But is it likely? "If it were an older system, it's possible,"
acknowledges Louise Casamento, director of marketing at PMS vendor
Micros Systems Inc. in Columbia, Md. In the past, people weren't as
conscious of security, and ISO card readers weren't readily available
on the Web, she says. But Saflok's Scott says it's not likely. "I've
been doing this for 15 years, and I've never seen it," he says, adding
that Saflok's system doesn't even have an option to allow the encoding
of credit card data onto its key cards.

"I would have to say that it [would have to be] a very old system—and
they are still out there—that may still allow this," says Jocelynn
Lane, vice president at VingCard AS, a vendor of electronic lock
systems based in Norway. But, she adds, "we've never seen them
compromised." Certainly no system would do it today, she adds.

The only situation where Lane says travelers might find sensitive
personal information on card keys is when they're abroad. "There are
locking systems in Europe that, when you check in, let you enter a
credit card, guest name, everything [on the card]. But never in the
States," she says.

"There are probably 60,000 hotels in the U.S. right now. To say no one
has done it would be presumptuous on my part," says PLI's Goldberg. But
the chances of guests running across the problem, if it exists at all,
are slim. "I would never check into a Holiday Inn and worry about it,"
Goldberg says.

On Apr 26, 2007, at 2:17 PM, David McMillan wrote:
> http://www.snopes.com/crime/warnings/hotelkey.asp
>
> Looks like an urban myth...although not a bad idea to keep the room
> card anyway.
>
> ----- Original Message ----
> From: bugclub101 <bugclub101 at comcast.net>
> To: Bay State Corvairs (MA) <bsc-list at corvair.org>
> Sent: Thursday, April 26, 2007 1:43:01 PM
> Subject: BSCC- Fw: HOTEL ROOM KEYS.......
>
>
> ----- Original Message -----
> From: "MAL DALY" <mdaly at arrow.com>
> Sent: Thursday, April 26, 2007 9:26 AM
> Subject: HOTEL ROOM KEYS.......
>
> FYI
>
> Subject: HOTEL ROOM KEYS.......
>
> HOTEL ROOM KEYS.......
>
> Very interesting!
>
> THIS IS SOME GOOD INFORMATION IF YOU TRAVEL...
>
> Here's something to think about....
>
> Ever wonder what is on your hotel room magnetic key card?
>
> Answer:
>
> A. Customer's name
> B. Customer's partial home address
> C. Hotel room number
> D. Check-in date and out dates
> E. Customer's credit card number and expiration date!
>
> When you turn them into the front desk your personal information is
> there for any employee to access by simply scanning the card in the
> hotel scanner.
>
> An employee can take a handful of cards home and using a scanning
> device, access the information onto a laptop computer and go shopping
> at your expense. Simply put, hotels do not erase the information on
> these cards until an employee re-issues the card to the next hotel
> guest.
>
> At that time, the new guest's information is electronically
> "overwritten" on the card and the previous guest's information is
> erased in the overwriting process. But until the card is rewritten for
> the next guest, it usually is kept in a drawer at the front desk with
> YOUR INFORMATION ON IT! The bottom line is: Keep the cards, take them
> home with you, or destroy them.
>
> NEVER leave them behind in the room or room wastebasket, and NEVER turn
> them into the front desk when you check out of a room.
>
> They will not charge you for the card (it's illegal) and you'll be sure
> you are not leaving a lot of valuable personal information on it that
> could be easily lifted off with any simple scanning device card reader.
>
> For the same reason, if you arrive at the airport and discover you
> still have the card key in your pocket, do not toss it in an airport
> trash basket. Take it home and destroy it by cutting it up, especially
> through the electronic information strip! (Information courtesy of
> Pasadena Police Department)
>
> You can also carry along a small magnet and pass it across the magnetic
> strip several times, then try it in the door. It will not work. It
> erases everything on the card.
>
> MAIL this to friends and family.
>
> _______________________________________________
> This message was sent by the BSC-list mailing list, all copyrights are
> the property
> of the writer, please attribute properly. For help,
> mailto:bsc-list-help at corvair.org
> This list sponsored by the Corvair Society of America,
> http://www.corvair.org/
> Post messages to: BSC-list at corvair.org
> List info: http://www.vv.corvair.org/mailman/listinfo/bsc-list
> _______________________________________________
>
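
The check Computerworld describes in the forwarded article (swiping a key card with an ISO-standard reader and looking for card numbers or names) can be scripted to audit your own key card. This is an added example, not part of the original e-mail or article; the sentinel characters assumed for the reader output, the sample swipes and the function names are all constructed for illustration.

```python
import re

# Assumption: the reader emulates a keyboard and emits track 1 as %...? and
# track 2 as ;...? (the usual start/end sentinels for decoded swipe output).
TRACK_RE = re.compile(r"(?P<t1>%[^?]*\?)|(?P<t2>;[^?]*\?)")
# Payment-card layouts from ISO/IEC 7813: PAN, (name on track 1), expiry YYMM.
T1_PAYMENT = re.compile(r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^\d{4}")
T2_PAYMENT = re.compile(r";(?P<pan>\d{12,19})=\d{4}")
DIGIT_RUN = re.compile(r"\d{13,19}")

# Constructed sample swipes; 4111111111111111 is a well-known test number.
FOLIO_ONLY = "%FOLIO 0042817?;0042817?"
PAYMENT_LAYOUT = "%B4111111111111111^DOE/JANE^0712101?;4111111111111111=0712101?"
EMBEDDED_RUN = "%R412 4111111111111111 0427?"


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def audit_swipe(raw: str) -> list[str]:
    """List what in a decoded swipe looks like payment-card data (never echoes it)."""
    findings = []
    for m in TRACK_RE.finditer(raw):
        track = "track1" if m.group("t1") else "track2"
        data = m.group(0)
        pay = (T1_PAYMENT if track == "track1" else T2_PAYMENT).match(data)
        if pay and luhn_ok(pay["pan"]):
            findings.append(f"{track}: payment-card layout, Luhn-valid PAN")
            if track == "track1":
                findings.append("track1: cardholder name field present")
            continue
        # Non-standard layout: still flag any long digit run that passes Luhn.
        findings += [f"{track}: Luhn-valid {len(r)}-digit run"
                     for r in DIGIT_RUN.findall(data) if luhn_ok(r)]
    return findings


if __name__ == "__main__":
    for label, raw in [("folio only", FOLIO_ONLY), ("payment layout", PAYMENT_LAYOUT),
                       ("embedded run", EMBEDDED_RUN)]:
        print(label, "->", audit_swipe(raw) or "no payment-card data found")
```

A Luhn pass on a bare digit run is only a hint, since one in ten random digit strings passes it. Cards written with a proprietary or encrypted encoding give the reader no decodable tracks, so they return an empty list.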